🚀 new authentication module

2025-10-01 07:55:06 +02:00 · 2022-09-13 23:18:06 +02:00
parent 9453478d3f
commit 56be9eec50
46 changed files with 615 additions and 318 deletions
--- a/cluster/apps/authentication/glauth/config/groups.sops.toml
+++ b/cluster/apps/authentication/glauth/config/groups.sops.toml
@@ -0,0 +1,20 @@
+{
+    "data": "ENC[AES256_GCM,data:sjxgm11rLpMMX0WY45XoNmqEvTJdHgZwD2LBYxVOYEYEK9yVU4ibmimoDHn0eZKRjAG+zWXWPItmMoOFiBHCgYGueYPPjcFgHDy8y8hfFxh+SmIZdd4elQ2+BswuwIMLgK3B+T2dX9uihuqXQggDpWAcbb47ErEM3XNlvwWwfy2onNbJJBT1hdEatvB/baRrI1lxss5Y0c9+yBhpjqw=,iv:i2R7PBKXaRsLlyvvv7nRrt0B3/DKlMFPGPUBzdDrKMk=,tag:qI48NEaaZS8E/Oj/gI0e+Q==,type:str]",
+    "sops": {
+        "kms": null,
+        "gcp_kms": null,
+        "azure_kv": null,
+        "hc_vault": null,
+        "age": [
+            {
+                "recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg",
+                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuK0t1cGxMclcrN1VkblJm\nazY5ME9nMXNVVG8vTTJpV0kvVk1HaWNBaGtRCkVYaElLY09VRm5LRmhmand1SWl6\nSnJXR0VWZ3NCMWlJTjY2K2ZhaE01TmMKLS0tIHUxUEtzbTV2T2w4eHhNSTJsZGdK\nalBYbVVmdWpSZVJyUXZ6S2c2Zm1qd0kK03R6jpoZSyzEbubjGidgPdLj4ur7voyX\ntCnbIuHE1XyAzUNHXRmh2neVpJZizEcvePgyBx008tUg2Bm0h7ywUQ==\n-----END AGE ENCRYPTED FILE-----\n"
+            }
+        ],
+        "lastmodified": "2022-09-13T21:09:48Z",
+        "mac": "ENC[AES256_GCM,data:lhhx8KwISfglzFwxyt4DHnwwoVWkI+FZsQvHKPvHgVqdAI67gUO2cZUQVv2gRq5WRYyfehBkJO0aJKtzrTG/ocmwDomIcTsuHy9ibNrFqjTxGCBwRLmJ+Mk8yutjkRhERolscdg42w/0/kf46h09+wpRcXfGU+0CY7WTXXNrYo8=,iv:rKYJyp86NRlcTL3nDaYeFDMPFRSJ70eyfTON5tuO2z8=,tag:bhfA4BgIWvhmEUenNREkQQ==,type:str]",
+        "pgp": null,
+        "unencrypted_suffix": "_unencrypted",
+        "version": "3.7.3"
+    }
+}
--- a/cluster/apps/authentication/glauth/config/server.sops.toml
+++ b/cluster/apps/authentication/glauth/config/server.sops.toml
@@ -0,0 +1,20 @@
+{
+    "data": "ENC[AES256_GCM,data:78oUuR7O9j8wqKKiTrCbg1QNVB2a+i3CWgNDNM38zQNDO/LZ3juQkda5rRZsvvH9ovGwsIVo+nk2omMLY5FUceFxQFssXYH5EGgPOA9cXYtbql8jdbp0Lh/41RAC3+WrEe3Pj/5/Qyl+1rMgQPg2JJf7KudJRt4whA6Lkehd3147Au12fMxTpxZpnSczk1MroZwsE+DdQStkVDdzwMA/QvWhnXCDCMcawFrHxrQvmRGOHAyYGomOrPm8WMKSdBpNDMZQFg1pjORK/QQ3LzeQpnoJ25iu/fA9OfpyYsbhryk2asOCyA==,iv:SZ1DXCoib5E9PurrC622tAcELIxxWGiensfZTVKFzXw=,tag:lDDsTO/Y5mXfEqyAJ0z0jQ==,type:str]",
+    "sops": {
+        "kms": null,
+        "gcp_kms": null,
+        "azure_kv": null,
+        "hc_vault": null,
+        "age": [
+            {
+                "recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg",
+                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3Mk9heFBGdDdueGFkT3Va\nS1pyMC8wOGJDSTJ3d3JPSjNnTVkzYVJ0eTJJCjVoUy8wMXdPc3Myc2JaalZ2ZG9Q\nc3J4QldvZlJqMFN4WnhvYnJmZXVuNjAKLS0tIDR5K08rWmJvR1VSSjVHUFdWNjRK\nWHd4Ny9ubjVIZ0V1SXhTMnJFN3hCK00KvH0z/ys31lAX2pYNt2JdWqPSDhp4PKEn\nbQ1Z99aG5DedV/4KqOH3L9bvHl3M5am0MiKW/CngOfN9M49bWwQ6VQ==\n-----END AGE ENCRYPTED FILE-----\n"
+            }
+        ],
+        "lastmodified": "2022-09-13T21:10:04Z",
+        "mac": "ENC[AES256_GCM,data:rKjnXHgG5ws0WdcGmTXpZ7PPGm2UIhVASqQ8K6Vtadws2g4M5OOk2JYI9sKjpnGd/Ht0pssBBpLWbqcwV2M2Ug96tkiDMRHHT7vgw4X5Y9NmnYt+5/An7ynsudraAr9AvjRS7Xux03OIPc7LjzOtCv4BIDyFR7vPj5+7opdedC0=,iv:3VPRTkVPL640URtVG5SxLKXE0/Pe3RORttfmnU0AYY0=,tag:Fcl2j31dKdCUwvfozWpRTw==,type:str]",
+        "pgp": null,
+        "unencrypted_suffix": "_unencrypted",
+        "version": "3.7.3"
+    }
+}
--- a/cluster/apps/authentication/glauth/config/users.sops.toml
+++ b/cluster/apps/authentication/glauth/config/users.sops.toml
@@ -0,0 +1,20 @@
+{
+    "data": "ENC[AES256_GCM,data:oVTmrHJKhuu11gADtjwZmE7UX05mVTsHkuC7XHkljkf21YJzSoiVStCOR6lZPdGFnOrWwwl+Yxxcs2alP/3G1SBkOtcv4zswDy/M3nr0BbMVBU9MmcFFFt9k0DfKWYyvhjea4uooPTRDH+shUKBG1wGiZyFQRLxrET5+ERwFsEEej5p35/I6HZbp3S7kT0tY0ThxbDt+/u3zwvR/2riWDscKy/75m3UIacnhS97MiOVe/Pv08b64wPg9ES62EV++VRsRFUBW7BrECeXDJfhVerBLmZBsxAxif2DqpOwxNnYqvAdMN/lSnr2mqtmSXP/i2Mg9KENe/i4ZoIFTdau3lBTyw8Fi86aOKkbyq4RqO5ZQ1kr/YtrJfL7I/i5nAXsF1UcyTWBscK1glWUq7vqr6/HOU8gPg3tSNgfTwvDxlXgXxl+bYDgRe5iHxNSvymiDH1Wf8AmlC2uFn9T+r515rMnWw64+FgVa60XCBn2t5IlXmnpNnO6k1U5Ce7jwU4EiDzljrwCKnUy7lSUtLdawaroIxuF0MTVS+kNoXpMXIgX3MBDKEQNIR9l65EK6wQm5QdzjhXOZzNeVEHK4p8dho84D3W9jyvl4VAtH3L5VeDT5PH2y33PXo4F5qHbArEwtkfz6r2aoJM+7hSLV4Er/Lu2+vaUuCRYJDxwdun/r6DoaGrEnNmrTo8OloQG1YdHDNiSN0xD+wdG0w/Iir/GGthW7QqwHjWrwTaunkgVS+g/e+jv4ILBdciWNc40ieazsPvaI+MRi+Hu4hKGRinFEKlv0ydeo53P8dEONsYk+jk5GkqHNynLDfNZ5kdT7K9yQcVJEE0X9a0JCCAIqDTP47YbhPpnmDfpf85LwWsXS/wS+Q04BvBn+09J2wQ==,iv:0S6oUJiSwAEkf5CIxA/y9Oga9vYU415gvJgnq91nXo8=,tag:RF3h6nOtjYRCOYmUYbDbZg==,type:str]",
+    "sops": {
+        "kms": null,
+        "gcp_kms": null,
+        "azure_kv": null,
+        "hc_vault": null,
+        "age": [
+            {
+                "recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg",
+                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmaHV4Z0l3TjdRTTNZZ3Bi\nd1NlVW5LRjNNRWcvV3ZEdndGK3FvaHJIUzNvClBKMk9ramhuNEZaK0l2OGhQS1Rl\nUWJKM1Q2ajNXc3BWSjRvVEdhMmRHRVEKLS0tIG9jWktVeWhJZnFDYXpEcStGbFBG\nUHFZazNMYlRGRjZ3eWcvWGNRc2tDa2sKWWPURYhrSLSFllErtv4kqlbwVwFm6C4H\nWEBjUkuR4IrV4iN21St1mGvJt7BNzksPOIanHiyV/X8UzM+2MtZ33g==\n-----END AGE ENCRYPTED FILE-----\n"
+            }
+        ],
+        "lastmodified": "2022-09-13T21:59:06Z",
+        "mac": "ENC[AES256_GCM,data:KxDoqYhcWY5VsmMSLiOlfTyVwta/7nKS4rGwyyoa/Kzwl1hNp0R+oQhhqPesple1zbtIPDVJJYY+dtQT74X6uBlCLxzFrB1zRu9nOPK3LIutMkcXAab3AdD7ZP8OjdCcXsyVj+xO+DtK0EvnZxFi6wMEQK54FEWCMIGmuLLBpLg=,iv:y8wkX6/itIeLniKjxtHIhgMe/zB27ieu/HFOtt6Nlwg=,tag:JJCGe3ycl6Omg2zWl6b72A==,type:str]",
+        "pgp": null,
+        "unencrypted_suffix": "_unencrypted",
+        "version": "3.7.3"
+    }
+}
--- a/cluster/apps/authentication/glauth/helm-release.yaml
+++ b/cluster/apps/authentication/glauth/helm-release.yaml
@@ -0,0 +1,64 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app glauth
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 0.1.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s-charts
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 5
+  upgrade:
+    remediation:
+      retries: 5
+  values:
+    controller:
+      replicas: 1
+      strategy: RollingUpdate
+    image:
+      repository: docker.io/glauth/glauth
+      tag: v2.1.0
+    command: ["/app/glauth", "-c", "/config"]
+    service:
+      main:
+        ports:
+          http:
+            port: 5555
+          ldap:
+            enabled: true
+            port: 389
+    podSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+      fsGroupChangePolicy: "OnRootMismatch"
+    persistence:
+      config:
+        enabled: true
+        type: secret
+        name: *app
+        items:
+          - key: server.toml
+            path: server.toml
+          - key: groups.toml
+            path: groups.toml
+          - key: users.toml
+            path: users.toml
+    podAnnotations:
+      secret.reloader.stakater.com/reload: *app
+    resources:
+      requests:
+        cpu: 5m
+        memory: 10Mi
+      limits:
+        memory: 50Mi
--- a/cluster/apps/authentication/glauth/kustomization.yaml
+++ b/cluster/apps/authentication/glauth/kustomization.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - helm-release.yaml
+secretGenerator:
+  - name: glauth
+    files:
+      - server.toml=config/server.sops.toml
+      - groups.toml=config/groups.sops.toml
+      - users.toml=config/users.sops.toml
+generatorOptions:
+  disableNameSuffixHash: true